The MAILING DATE of this communication appears on the cover sheet with the correspondence address --
Period for Reply
THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
earned patent term adjustment. See 37 CFR 1.704(b).

DETAILED ACTION
Specification 

The examiner suggests that the applicants provide the serial numbers of all
copending applications mentioned on page 1.

Claim Rejections - 35 USC § 102 

1. The following is a quotation of the appropriate paragraphs of 35
U.S.C. 102 that form the basis for the rejections under this section made in this 
Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 
122(b), by another filed in the United States before the invention by the applicant for patent or 
(2) a patent granted on an application for patent by another filed in the United States before 
the invention by the applicant for patent, except that an international application filed under 
the treaty defined in section 351(a) shall have the effects for purposes of this subsection of an 
application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

2. Claim 1 is rejected under 35 U.S.C. 102(e) as being anticipated by Vaidya
US (6,279,113). 

As per claim 1: Vaidya discloses a node of a network maintaining an instance of 
an intrusion prevention system, the node comprising: 

A memory module for storing data in machine-readable format for retrieval and 
execution by a central processing unit; (Item 39 of FIG. 2 and Col 6, Lines 53-56) 
and 

An operating system comprising a network stack comprising a protocol driver,
(Items 30, 34 and 36 of FIG. 2 and Col 6, Lines 11-18)

A media access control driver and an instance of the intrusion prevention system 
implemented as an intermediate driver and bound to the protocol driver and the 
media access control driver, (Col 7, Lines 12-24) 

the intrusion prevention system comprising an associative process engine and an 
input/output control layer, the input/output control layer operable to receive at 
least one of a plurality of machine-readable network-exploit signatures from a 
database and provide the at least one machine-readable network-exploit 
signatures to the associative process engine, (Col 7, lines 24-36, and Col 6, lines 
7-11) 

the associative process engine operable to compare a packet with the at least 
one machine-readable network-exploit signature and determine a 
correspondence between the packet and the at least one machine-readable 
network-exploit signature. (Col 6, Lines 18-21 and Col 7, Lines 32-36)

As per claim 2: Vaidya discloses the method of claim 1, wherein the database is
maintained in storage device of the node. (Col 6, lines 3-7)

Application/Control Number: 10/003,819
Art Unit: 2136

As per claim 3: Vaidya discloses the node according to claim 1, wherein each of
the plurality of machine-readable network-exploit signatures comprise a
respective directive that defines instructions to be executed upon determination
of a correspondence between the packet and the respective exploit
signature. (Col 6, Lines 18-26)

As per claim 4: Vaidya discloses the node according to claim 1, wherein, upon
determination of a correspondence between the packet and two or more of the 
plurality of machine-readable network-exploit signatures, each of the directives of 
the two or more machine-readable network-exploit signatures are executed by 
the intrusion prevention system. (Col 7, Line 47 through Col 8 line 15) 

As per claim 5: Vaidya discloses the node according to claim 1, wherein, upon
determination of a correspondence between the packet and two or more of the
plurality of machine-readable network-exploit signatures, an alternative directive
is executed, the alternative directive dependent upon the combination of the two or
more network-exploit signatures having a correspondence with the packet. (Col
9, Line 62 through Col 10 Line 16 and Col 11 lines 5-14)

As per claim 13: Vaidya discloses a computer-readable medium having stored
thereon set of instructions to be executed, the set of instructions, when executed
by a processor, cause the processor to perform a computer method of:

comparing a packet with a plurality of machine-readable network-exploit
signatures; (Col 6, Line 57 through Col 7 Line 6)

determining a correspondence between the packet and at least a subset of the
plurality of machine-readable network-exploit signatures; and (Col 6, Lines 57-63)

generating a record of the subset with which the correspondence is made. (Col 7,
Lines 8-11 / the reaction module takes steps to trace the session associated with
the packet)

As per claim 14: The computer readable medium according to claim 13, further 
comprising a set of instructions that cause, when executed by the processor, the 
processor to perform a computer method of: 

determining a correspondence between the packet and a subset of the plurality 
of machine-readable network-exploit signatures, each machine-readable 
network-exploit signature comprising a directive; and executing, by the 
processor, each directive of the record of machine-readable 
signatures. (Col 7, Lines 24-45) 

As per claim 15: Vaidya discloses the computer readable medium according to
claim 13, further comprising a set of instructions that cause, when executed by
the processor, the processor to perform a computer method of executing a
directive dependent on the machine-readable network-exploit signatures within
the subset. (Col 6, Lines 18-26)

Claim Rejections - 35 USC § 103

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

4. Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over
Vaidya US (6,279,113) in view of Shanklin et al. US (6,578,147).



As per claim 6: Vaidya discloses a method of analyzing a packet at a node of a 
network by an intrusion prevention system executed by the node, comprising: 
reading the packet by the intrusion prevention system; (Col 6, lines 57-59 and 
item 58 of FIG. 3) 

comparing the packet with a plurality of machine-readable network-exploit 
signatures; and (Col 6, Line 57 through Col 7 Line 6) 

but Vaidya doesn't explicitly show determining a correspondence between the
packet and at least two of the network-exploit signatures. However, Shanklin
discloses an intrusion detection system comprising intrusion detection sensors
that forward packets from different sessions to a network analyzer to be used in
detecting certain types of composite signatures (Col 5, Lines 29-39). Therefore it
would be obvious to one with ordinary skill in the art at the time the invention was
made to modify Vaidya's system with the teaching of Shanklin to include a step for
determining the correspondence between packet and at least two signatures.
One would be motivated to do so in order to enable the system to detect
correlations among signatures in different sessions (Col 6, Lines 4-8).



As per claim 7: Vaidya discloses the method according to claim 6, further
comprising generating a record of the at least two of the plurality of
machine-readable network-exploit signatures with which a correspondence with the packet
is made. (Col 8, Lines 44-53)

As per claim 8: Vaidya discloses the method according to claim 7, further 
comprising transmitting the record to a management node connected to the 
network. (Col 5, Lines 47-51) 

As per claim 9: Vaidya discloses the method according to claim 7, further 
comprising logging the record in a database. (Col 9, Lines 21-26) 

As per claim 10: Vaidya discloses the method according to claim 6, further
comprising executing, by the intrusion protection system, a respective directive of
each of the at least two machine-readable signatures determined to correspond
with the packet. (Col 7, Line 47 through Col 8 line 15)

As per claim 11: Vaidya discloses the method according to claim 6, further
comprising executing, by the intrusion protection system, at least one directive of 
the machine-readable network exploit signatures of the record determined to 
have a correspondence with the packet. (Col 9, Line 62 through Col 10 Line 16 
and Col 11 lines 5-14). 

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Firas Alomari whose telephone number is 
(571) 272-7963. The examiner can normally be reached on M-F from 7:30 am - 
4:00 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, AYAZ SHEIKH can be reached on (571) 272-3795. The 
fax phone number for the organization where this application or proceeding is 
assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).



Gregory Morse
Supervisory Patent Examiner
Technology Center 2100